tock-sitp17.pdf · slide transcript · 2020-04-15

Page 1
Safely and Efficiently Multiprogramming a 64kB Computer

Amit Levy, Daniel Giffin, Bradford Campbell, Branden Ghena, Pat Pannuto, Prabal Dutta, Philip Levis, Niklas Adolfsson, Fredrik Nilsson, Josh Adkins, Neal Jackson, et al.
June 14th, 2017
Page 2
[Diagram: three example applications assembled from shared components. A U2F app (Register, Indicate, Attest over U2F HID, P-256), an HOTP key (Keyboard HID, Count, HMAC) and a GPG smart card (KeyGen, CCID, ECC/RSA) sit on kernel services such as Capacitive Touch, Async Timer, High Precision Timer, GPIO, Flash, RNG, USB, SHA, AES, Encryption Oracle and Virtual Endpoint.]

An emerging class of embedded applications are software platforms, rather than single-purpose devices.
Page 3
Embedded Software

- No isolation between components
- Deeply coupled components
- Static memory allocation to avoid unrecoverable runtime memory exhaustion
- Fixed concurrency at compile-time
Page 4
Embedded Hardware

- Low power budget: micro-amps of average current consumption
- 64kB of RAM
- Memory Protection Unit: a limited hardware protection mechanism
Page 5
Challenges

- How to isolate components despite minimal hardware resources?
- How to replace individual components without restarting the whole system?
- How to avoid fixed concurrency with limited memory?
Page 6
Common Solutions

- Give up on isolation: write completely bug-free code
- Whole-system updates only
- Use *nix et al.: forget about low power
Page 9
Tock
Page 10
Tock is a new operating system for low-power platforms that takes advantage of the limited hardware-protection mechanisms available on recent microcontrollers and the type-safety features of the Rust programming language to provide a multiprogramming environment:

- Isolation of software faults
- Efficient memory protection and management for dynamic application workloads
- Update/restart/remove individual (user-space) components independently
- Retains the dependability requirements of long-running devices
Page 11
Tock Architecture

[Diagram: processes run above the kernel; inside the kernel, capsules such as Virtual Alarm, Timer SysCalls, Timer Driver, RF233 Driver, SPI Driver, 802.15.4 Net., I2C Driver and Temp Sensor are layered over the microcontroller's peripherals (Timer, I2C, SPI).]
Page 12
Capsules

- Capsules are components in the kernel
- Minimal runtime overhead:
  - Isolated "at compile-time" using the Rust language type/module system
  - Cooperatively scheduled
  - Most isolation overhead can be eliminated at compile-time

Capsules can...

- Violate real-time guarantees
- Panic (sort of... let's talk...)

But they cannot...

- Read arbitrary memory (e.g. secret encryption keys)
- Communicate with peripherals they are not allowed to
Page 13
Capsules
Stronger memory isolation than hardware protection?
```rust
struct DMAChannel {
    ...
    enabled: bool,
    // Only a buffer that lives for the whole program can be handed to the
    // DMA engine; the type rules out pointing it at arbitrary memory.
    buffer: &'static [u8],
}
```

Typing hardware registers can constrain allowed values with very fine granularity.
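As an added example (not code from the talk or from the Tock kernel), the following sketches what the slide's typed DMA channel buys over an MPU: the `&'static [u8]` bound is checked by the compiler per buffer, and a newtype for the transfer count makes an out-of-range register value unrepresentable. The 12-bit count field, the register names, the `DmaError` type and the static buffers are assumptions made for the demo.

```rust
// Added example, not code from the Tock talk or kernel: a capsule-facing DMA
// channel whose register fields are typed so that only values the hardware
// can safely consume are representable. The 12-bit count field, the register
// names and the static buffers are assumptions made for the demo.

/// Transfer-count register value. The hypothetical engine has a 12-bit count
/// field; the only constructor rejects lengths the hardware would truncate,
/// so a valid `TransferLen` never needs re-checking at the register write.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct TransferLen(u16);

impl TransferLen {
    pub const MAX: usize = 0xFFF;

    pub fn new(len: usize) -> Option<TransferLen> {
        if len <= Self::MAX { Some(TransferLen(len as u16)) } else { None }
    }

    pub fn get(self) -> usize {
        self.0 as usize
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum DmaError {
    TooLong,
    Busy,
}

/// The channel as the kernel exposes it to capsules. Because `buffer` is a
/// `&'static [u8]`, the compiler guarantees the source outlives the transfer:
/// a capsule cannot aim the engine at a stack frame, at another capsule's
/// state, or at a raw integer address. An MPU can only express this at
/// region granularity; the type expresses it per buffer.
pub struct DmaChannel {
    enabled: bool,
    buffer: &'static [u8],
    count: TransferLen,
}

impl DmaChannel {
    pub fn new() -> DmaChannel {
        DmaChannel { enabled: false, buffer: &[], count: TransferLen(0) }
    }

    /// Program a transfer. The length is validated exactly once, here; after
    /// that the (simulated) register writes below need no further checks.
    pub fn start(&mut self, buffer: &'static [u8]) -> Result<(), DmaError> {
        if self.enabled {
            return Err(DmaError::Busy);
        }
        let count = TransferLen::new(buffer.len()).ok_or(DmaError::TooLong)?;
        self.buffer = buffer; // stands in for writing the source-address register
        self.count = count;   // stands in for writing the count register
        self.enabled = true;  // stands in for setting the enable bit
        Ok(())
    }

    /// Completion interrupt: the channel is idle again.
    pub fn complete(&mut self) {
        self.enabled = false;
    }

    pub fn is_enabled(&self) -> bool {
        self.enabled
    }

    /// What the engine would read back from its address and count registers.
    pub fn programmed(&self) -> (usize, usize) {
        (self.buffer.as_ptr() as usize, self.count.get())
    }
}

// Static buffers are the only kind a capsule can hand to the channel.
pub static TX_FRAME: [u8; 8] = [0xAA, 0x55, 1, 2, 3, 4, 5, 6];
pub static OVERSIZED: [u8; 0x1000] = [0u8; 0x1000];

/// Exercise the channel; returns (first start, start while busy, oversized).
pub fn demo() -> (Result<(), DmaError>, Result<(), DmaError>, Result<(), DmaError>) {
    let mut ch = DmaChannel::new();
    let first = ch.start(&TX_FRAME);     // Ok(())
    let busy = ch.start(&TX_FRAME);      // Err(Busy): transfer still running
    ch.complete();
    let too_long = ch.start(&OVERSIZED); // Err(TooLong): 4096 exceeds the 12-bit count
    // let local = [0u8; 4];
    // ch.start(&local); // rejected by the compiler: `local` does not live for 'static
    (first, busy, too_long)
}

fn main() {
    println!("{:?}", demo());
}
```

The two commented-out lines are the point of the slide: the misuse an MPU would have to catch at run time (DMA from a short-lived buffer) is a compile error here, and the length check is paid once at `start` rather than on every register access.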
Page 14
Processes

Can be unreliable, since the system can respawn or kill processes without affecting other functionality.

- Hardware-isolated concurrent executions of programs
- Written in any language (currently C, C++, Lua and Rust-ish)
- Total control over their memory, including dynamic heap allocation
- Similar to processes in other systems:
  - Separate stacks allow preemptive execution
  - Memory isolated by the hardware
- Interact with the kernel over a small but flexible system-call interface:
  - command, subscribe, allow
  - yield, memop
Page 15
[Diagram: processes invoke the command, subscribe and allow system calls; the process scheduler and IRQ dispatch route them to the Timer SysCalls capsule, which goes through the Virtual Alarm and the Timer Driver to reach the hardware timer.]
Page 16
What happens when the kernel requires dynamic resources to respond to a request from a process?

- We want to allow arbitrary apps, so we don't know the concurrency requirements:
  - How many timers will an application need?
  - Will it use SPI, UART, USB, Bluetooth, etc.? One socket? 1000 sockets?
- If the kernel allocates memory for requests dynamically, it may run out of resources.
Page 17
| Threads | Kernel RAM (bytes) | Syscall RAM (bytes) | Max Used (bytes) |
|---|---|---|---|
| 1 | 3506 | 712 | 158 |
| 2 | 4216 | 1422 | 316 |
| 3 | 4928 | 2134 | 474 |

TOSThreads has low memory efficiency. Static allocation costs 710-712 bytes per thread, of which at most 158 bytes (22%) can be in use at any time. These numbers do not include the thread stacks, each of which can be less than 100 bytes.
Page 18
Grants

Tock allows a process to "grant" to the kernel portions of its own memory, which the kernel can use to maintain state for that process's requests.

- Separate sections of the kernel heap are located in each process's memory space
- Grant allocations for one process do not affect the kernel's ability to allocate for another
- A type-safe interface guarantees all grants for a process can be freed immediately if the process dies
- Basic idea: the kernel API ensures there are no long-lived pointers directly to grant-allocated memory
Page 19

Page 20
Grant Requirements

- The process cannot access grant-allocated memory
  - We use an additional, dynamically determined MPU rule
- Grant-allocated values must become unavailable to capsules once the process dies, enforced through a limited API:
  - Capsules pass a closure to the enter method
  - Memory in a grant region is only accessible from within the closure
  - Pointers to grant memory cannot escape the closure
  - Implication for kernel design: avoid cross-process data structures
Page 21
```rust
impl<T: Default> Grant<T> {
    // Create a grant holding one value of type T per process.
    fn create() -> Grant<T>

    // Run `func` on the given process's value. The `R: Copy` bound means
    // the closure can return a result but never a reference into grant memory.
    fn enter<F, R>(&self, proc_id: ProcId, func: F) -> Result<R, Error>
        where F: for<'b> FnOnce(&'b mut Owned<T>) -> R, R: Copy

    // Run `func` over every process's value.
    fn each<F>(&self, func: F)
        where F: for<'b> Fn(&'b mut Owned<T>)
}
```
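The grant API above and the requirements on the previous slide, as an added example that is not Tock's own implementation: a simplified, self-contained model of `create`/`enter`/`each` in which each process's grant values are charged against that process's own memory budget, `enter` hands out a `&mut T` that lives only inside the closure, and killing a process releases every grant it holds. The `Kernel`, `GrantRegion` trait, `MAX_PROCS`, the per-process byte budget and the `AlarmState` payload are all assumptions for the demo.

```rust
// Added example, not Tock's own code: a simplified model of the grant API on
// this slide, showing why a closure-based `enter` lets the kernel reclaim a
// dead process's state with no dangling pointers. The process-table size, the
// per-process byte budget and the alarm payload are assumptions for the demo.
use std::cell::RefCell;

pub const MAX_PROCS: usize = 4;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct ProcId(pub usize);

#[derive(Debug, PartialEq, Eq)]
pub enum Error { NoSuchProcess, OutOfMemory }

/// Anything the kernel must release when a process dies.
pub trait GrantRegion { fn release(&self, p: ProcId); }

/// Per-process grant budget; `None` marks a dead process. In Tock the grant
/// region is kernel-owned heap carved out of the process's own RAM and hidden
/// from it by an extra MPU rule; here it is reduced to a byte budget.
pub struct Kernel { grant_free: RefCell<Vec<Option<usize>>> }

impl Kernel {
    pub fn new(budget_per_proc: usize) -> Kernel {
        Kernel { grant_free: RefCell::new(vec![Some(budget_per_proc); MAX_PROCS]) }
    }
    fn is_alive(&self, p: ProcId) -> bool {
        matches!(self.grant_free.borrow().get(p.0), Some(Some(_)))
    }
    /// Charge an allocation to this process's region only: one process
    /// exhausting its grant space never starves another.
    fn charge(&self, p: ProcId, bytes: usize) -> Result<(), Error> {
        let mut table = self.grant_free.borrow_mut();
        let free = table[p.0].as_mut().filter(|f| **f >= bytes).ok_or(Error::OutOfMemory)?;
        *free -= bytes;
        Ok(())
    }
    /// Kill a process: drop every grant it holds first. Safe precisely because
    /// no capsule can retain a pointer into grant memory.
    pub fn kill(&self, p: ProcId, grants: &[&dyn GrantRegion]) {
        for g in grants { g.release(p); }
        self.grant_free.borrow_mut()[p.0] = None;
    }
}

/// Per-process state of type `T`, allocated lazily on first `enter`.
pub struct Grant<'k, T: Default> { kernel: &'k Kernel, slots: RefCell<Vec<Option<Box<T>>>> }

impl<'k, T: Default> Grant<'k, T> {
    pub fn create(kernel: &'k Kernel) -> Grant<'k, T> {
        Grant { kernel, slots: RefCell::new((0..MAX_PROCS).map(|_| None).collect()) }
    }
    /// Run `func` on the calling process's value. The `&mut T` exists only
    /// inside the closure and `R: Copy` rules out returning a reference into it,
    /// so nothing outlives this call. (Re-entering the same grant from inside
    /// `func` panics on the RefCell, mirroring Tock's rule.)
    pub fn enter<F, R>(&self, p: ProcId, func: F) -> Result<R, Error>
    where F: FnOnce(&mut T) -> R, R: Copy {
        if !self.kernel.is_alive(p) { return Err(Error::NoSuchProcess); }
        let mut slots = self.slots.borrow_mut();
        let slot = &mut slots[p.0];
        if slot.is_none() {
            self.kernel.charge(p, std::mem::size_of::<T>())?;
            *slot = Some(Box::new(T::default()));
        }
        let value: &mut T = slot.as_mut().expect("allocated above");
        Ok(func(value))
    }
    /// Visit every live process's value (e.g. a timer capsule scanning alarms).
    pub fn each<F: FnMut(ProcId, &mut T)>(&self, mut func: F) {
        for (i, slot) in self.slots.borrow_mut().iter_mut().enumerate() {
            if let Some(v) = slot {
                if self.kernel.is_alive(ProcId(i)) { func(ProcId(i), &mut **v); }
            }
        }
    }
}

impl<'k, T: Default> GrantRegion for Grant<'k, T> {
    fn release(&self, p: ProcId) { self.slots.borrow_mut()[p.0] = None; }
}

/// Hypothetical alarm state: one per process, stored in that process's grant,
/// so the kernel never has to fix a maximum number of alarms up front.
#[derive(Default)]
pub struct AlarmState { expiration: Option<u32>, fired: u32 }

/// Two processes arm alarms, a timer tick fires the due one, then process 1 is
/// killed. Returns (proc 0 fired count, proc 1 fired count, re-arming proc 1).
pub fn demo() -> (Result<u32, Error>, Result<u32, Error>, Result<(), Error>) {
    let kernel = Kernel::new(64);
    let alarms: Grant<AlarmState> = Grant::create(&kernel);
    let (a, b) = (ProcId(0), ProcId(1));
    // `command` syscall handler: arm the caller's alarm inside its own grant.
    alarms.enter(a, |s| s.expiration = Some(10)).unwrap();
    alarms.enter(b, |s| s.expiration = Some(20)).unwrap();
    // Timer interrupt at t=15: scan every live process, fire the due alarms.
    alarms.each(|_, s| {
        if matches!(s.expiration, Some(t) if t <= 15) { s.expiration = None; s.fired += 1; }
    });
    kernel.kill(b, &[&alarms]); // process 1 dies; its grant memory goes with it
    (alarms.enter(a, |s| s.fired), alarms.enter(b, |s| s.fired), alarms.enter(b, |s| s.expiration = Some(30)))
}

fn main() { println!("{:?}", demo()); }
```

Two properties from the slides are visible in the shape of the API rather than in any run-time check: a capsule can never hold a `&mut AlarmState` after `enter` returns, so `kill` can drop the slot unconditionally, and because allocation is charged to the calling process's own budget, a process that grants too little memory fails alone while its neighbours keep working.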
Page 22
Grants Compared to the Alternative

Recall: TOSThreads requires about 700 bytes statically allocated in the kernel for each additional thread, of which at most 22% can be in use at any given time.

- Grants require no additional per-thread memory in the kernel
- Only useful memory is dynamically allocated in grants
- Zero wasted memory, since memory can be re-used across non-concurrent operations
Page 23
Conclusion

- Resource constraints continue to be a challenge for embedded system designers
  - Low power, small form factors and lower cost
- These limitations should not preclude the software abstractions and protections common in general-purpose computers
- Tock provides both dynamic operation and dependability in resource-constrained settings
  - Best of all: flexible multiprogramming, isolation, system dependability
  - Grants split the kernel heap across processes, allowing dynamic demands for kernel resources despite limited system memory

Buy a Hail! https://tockos.org/hardware/hail